s4:dsdb/password_hash: Honor password complexity settings.
author Stefan Metzmacher <metze@samba.org>
Fri, 23 Nov 2012 10:49:05 +0000 (11:49 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 11 Dec 2012 12:59:58 +0000 (13:59 +0100)
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.

The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
 Computers" MMC Snap-In.

Please note that this bug was caused by a mistake in the documentation.

Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.

Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
source4/dsdb/samdb/ldb_modules/password_hash.c

index 620de755d88e2d33a998b08a9111e2fef0b955b7..4644628b9f27a2942427cd854c8e2d9808639d34 100644 (file)
@@ -2188,11 +2188,6 @@ static int setup_io(struct ph_context *ac,
                & (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
                        | UF_SERVER_TRUST_ACCOUNT));
 
-       if ((io->u.userAccountControl & UF_PASSWD_NOTREQD) != 0) {
-               /* see [MS-ADTS] 2.2.15 */
-               io->u.restrictions = 0;
-       }
-
        if (ac->userPassword) {
                ret = msg_find_old_and_new_pwd_val(orig_msg, "userPassword",
                                                   ac->req->operation,
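
Review bot: The removed `UF_PASSWD_NOTREQD` branch in setup_io() leaves no comment explaining why `io->u.restrictions` is no longer cleared for such accounts, and the deleted `/* see [MS-ADTS] 2.2.15 */` reference was the only rationale recorded in the code. Since the commit message attributes the bug to a documentation mistake, a short comment at this spot saying that UF_PASSWD_NOTREQD must not switch off the password restrictions, and which documentation statement was misleading, would keep the shortcut from being reintroduced later. With the branch gone, whatever value `io->u.restrictions` holds at this point now applies to UF_PASSWD_NOTREQD accounts as well, so it is worth confirming how setting an empty password on such an account behaves after the change. The diff touches only password_hash.c, so a regression test for bug #9414 that covers the scenarios listed in the commit message would be a useful addition.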